Two-factor authentication: how many "factors" are needed to make it secure

In today's reality, every user has a dozen or more accounts, from social networks and marketplaces to banks and government services. Some of them have little impact on the user's daily life, and losing them rates no higher than "a little annoying" on the criticality scale. Compromise of others, on the contrary, can lead to a whole range of unacceptable events, from data theft to a micro-loan taken out in the victim's name.

The main security feature that services can offer their users is two-factor authentication. It reduces the risk of an account being compromised even if attackers have learned the login and password pair, since the "second factor" comes into play.

Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis

Two-factor authentication significantly increases the security of authentication when accessing information resources, but it is not an ultimate tool for combating illegitimate access. Its use significantly complicates hacking and forces cybercriminals to resort to social engineering methods or more complex email hacking schemes. If social engineering is already well known to bank users through calls from scammers, then purely hacker schemes are usually not familiar to a wide range of people.

This article will analyze the main advantages and disadvantages of two-factor protection, who needs more factors and in what cases, as well as common ways to hack multi-factor protection.

What is two-factor authentication?

For a long time, logging in to any system was single-factor and consisted of a username and password pair. Moreover, the login was often the user's email address or nickname, at least in public services, so that part is not even confidential.

However, the growth of cyber attacks, both mass attacks on the users of services and targeted attacks on the "service provider" (primarily in the financial sector), has led to the need for more reliable authentication methods.

Roman Miskevich
Technical Director for ANWORK

Two-factor authentication can protect your data from external attacks. Its only drawback is the need to use related software and hardware complexes, storage facilities, and software for reading data.

Although statistics on the compromise of systems protected by two-factor authentication are practically non-existent, such systems do not provide a full guarantee of security; they are, however, far more effective than a username and password alone. Today in Russia it is used in such advanced industries as banking (mobile and web), telecom and other areas where end users can open personal accounts.

Specific example: you can log in to your personal account after entering your credentials in the interface, as well as specifying a one-time password (in the form of an SMS or push notification) sent to your smartphone or email.

Two-factor authentication is a form of authentication that involves two verification steps:
  • classic, with a password;
  • additional, using an SMS code, call, biometrics, email, and so on.

At the same time, it is important not to confuse a two-factor login with a "duplicate" one, where either factor alone is enough to get in. For example, when unlocking a smartphone, most users can use either a code or biometrics, but very rarely both factors in sequence.

Alexey Vinnichenko
Head of the Information Security Department of Tsifromatika

Enabling multi-factor authentication does not guarantee full protection of your account from hacking, but only complicates the task for cybercriminals. For example, when using email confirmation, an attacker can hack into an email account and gain access to confirmation codes, when using SMS confirmation, they can gain access to a mobile device or clone a SIM card, and when using TOTP authentication, they can steal the QR code used to configure code generation tools. Also, an attacker can simply use social engineering methods to get a confirmation code.

The advantage of two-factor authentication is that it complicates the chain of attack on the user. It is no longer enough for an attacker to simply obtain a password, which, in modern realities, is quite simple: many leaked databases contain hashed passwords outright, or at least a pool of a user's probable passwords. Now the hacker must also gain access to the second factor, whether a one-time SMS code, a push notification, an email, or biometric data.

It is important to understand that cybercrime, like any profit-seeking activity, is adaptive. If people massively "switch" to two factors today, then tomorrow there will be many solutions focused on overcoming this type of protection.

What are the authentication factors?

Sergey Bespalov
Chief Architect of IMBA IT

Speaking of the "third factor", it is necessary to understand that all three factors must have different characteristics:
1. knowledge factor (password)
2. ownership factor (authentication device)
3. property factor (biometrics)
The need to use the third authentication factor should be based on the criticality of the information, as this will definitely complicate the use of online services a little.

The very first and classic factor, which can be said to have appeared together with the very concept of authentication, is a static password set by the user. The service may impose requirements on the password, such as its length and the use of special characters, digits, mixed case, and so on.

The second factor is usually tied to the user's device or to other services the user already has. The simplest option is a one-time code sent by SMS or email. A more advanced version is push notifications or messages delivered within the service itself or its app. For example, to log in to a Telegram account on a new device, you enter a code that arrives in the account's existing session. Push notifications are actively used by banks, since they remove third parties, such as the mobile operator, from the exchange.

Roman Laminin
Leading Information Security Specialist of the eXpress Corporate communications and mobility platform

It is important to authenticate the device from which the user logs in to the app.
Optimal – a digital impression of the device based on behavioral analysis, proximity methods (linking devices via Wi-Fi and Bluetooth), and opt out of SMS messages in favor of push notifications.
There are interesting world practices. In Asia, for example, to log in to MMORPGs on the desktop (not Public Services, of course), the authorization algorithm included a standard username / password, Bluetooth connection of the phone to which the account is linked, and verification of the IP addresses of both devices.
The result of this algorithm was that it became impossible to steal the account.

The third factor usually requires physical interaction. There are two main options here:
  1. Biometrics. This is the most common, since most users already own a device that can read a face, voice or fingerprint: a smartphone.
  2. Tokens. A physical key, flash drive or card is usually used in the commercial sector to gain corporate access to sensitive ICS.

At the same time, the number of authentication factors is limited only by the trade-off between the sensitivity of the systems being protected and the convenience of accessing those systems or services.

Two-factor authentication today

Konstantin Korsakov
chief architect of RooX

Two-factor authentication has finally passed into the category of "hygienic minimum" for services available to the general user. Its importance was recorded back in 2017 by NIST, directly in the format of a standard; then in 2018 it was included in GOST R 57580.1-2017 in the context of financial transactions, but it really gained mass distribution only recently. Two-factor authentication is a relatively simple security tool, the effectiveness of which is proven in practice (the number of successful attacks is reduced by 80-90% according to Google and Microsoft).

The banking industry has become the driving force behind the introduction of two-factor authentication in Russia and around the world.

The average user encounters this tool when making almost any online purchase:
  1. The first factor is the CVC code printed on the user's card. Without it, you cannot buy anything at all.
  2. The second factor is the SMS or push code that you need to enter, usually if the purchase exceeds a certain fixed amount.

Public services also follow a similar path of mandatory presence of two factors. For example, "two-factor payment" will become mandatory for access to public services in June this year.

Alexander Gerasimov
CISO Awillix

Techniques and attacks that are currently in the arsenal of intruders allow almost guaranteed possession of user accounts without 2FA on various Internet resources.
In Public Services, people perform actions that directly affect their lives. This can be much more critical than a regular bank transfer: making a loan, using sensitive information for fraud, or using other services related to public services for their own purposes. Today, the President approved the introduction of digital passports in public services. This imposes maximum information security requirements for those who will use them.

We can say that two-factor authentication has today become a "minimum program" for a user who wants to ensure their security. This applies not only to sensitive services with direct access to money. For example, in recent months, attacks on instant messengers, in particular on Telegram, have become more frequent, and many experts have recommended that their audience enable the "second factor" for their accounts.

But it is important to understand that the presence of a second authentication factor, or a tenth one, is a tool for complicating the attack, and it is through that complication that the probability of a successful attack decreases. But even if a hypothetical person uses ten tokens from different manufacturers to access an account, that will not save them if they hand those tokens over to scammers themselves.

Sergey Tsvetkov
Head of the IT department at Razvitium

Unfortunately, we cannot say that the presence of the second factor makes 100% protection. Although the SMS code authorization method is more reliable than the email code, it is still quite vulnerable. The fact is that scammers can copy your SIM card and easily get the authentication code, without your knowledge. In this case, they are "helped" by mobile operators, who already have vulnerabilities in their systems. It is enough to reissue your SIM card, even for a short period of time, to get the desired code and get access to your account. We regularly observe court proceedings, but the problem does not seem to be solved globally.

The second aspect of the risks of two-factor authentication is the risk of an attack on the service itself. If it is compromised, protection on the user's side no longer matters much and will not stop attackers from carrying out an unacceptable event.

How two-factor authentication is hacked

The vast majority of attacks on a user are mass attacks that rely on the fact that the person:
  • usually has a low level of digital literacy;
  • is inattentive to what is happening in their digital space;
  • is distracted by other things at any given moment.

The human factor and human vulnerability still prevail over the technical imperfection of services and security tools. If a user in 2023 does not instinctively understand that a password or one-time code must never be given to anyone, under any circumstances, then they can only be reliably protected by giving up digital services altogether.

Viktor Chashchin
Chief Operating Officer of the MULTI-FACTOR Company

First of all, this is social engineering: previously, scammers had to "persuade" the user to share their username and password, and now - the second factor. There are also second factors that are more vulnerable to technical hacking: SMS messages, one-time code generators. The former are intercepted by an attack on the GSM protocol, and the latter - by the fact that the key for generating a one-time code is usually "leaked" together with other user credentials.

At the same time, it is important to note that the number of users who have intuitively learned to tell scammers from real service representatives is growing, and it is increasingly difficult for attackers to gain their trust. But this does not eliminate the following popular, "purely hacker" method: the use of malware.

Anton Kuznetsov
R-Vision Senior Information Security Engineer

One of the most popular circumvention options is to infect the victim's mobile phone with malicious software: the malware can intercept push notifications and send the code to intruders. As an example, the Android Trojan Cerberus can intercept a one-time confirmation code (OTP, one-time passcode) requested by the user to confirm any actions or operations on the network.

At the same time, the smartphone remains the most popular "delivery point", since its level of protection is traditionally lower than a PC's, especially for Android-based devices, for which most mobile malware is written.

The smartphone is also attractive because it is always with its user, which means that there are many more places where it can be "infected".

Denis Kondratiev
Security specialist, game developer

Man-in-the-middle attacks involve code interception. One common method is to use unsecured public Wi-Fi networks, as these networks can easily be intercepted.
Finally, hackers can inject malware or use brute-force attacks that involve trying to simply iterate through the codes until they find the right one. It is important to note that while these methods can be effective, they require a certain level of expertise and effort on the part of the attacker.

The type of factor the attacker plans to compromise also matters. Traditionally, SMS codes are the least resistant to attack, since they were implemented earlier than anything else, which means attackers have had more time to find different attack vectors.

Andrey Samolyak
Head of the Information Security Implementation Department at Compliance Soft

Each type of authentication has its own approaches to hacking and compromise. For example, when using one-time passwords via SMS, an attacker can use a spoof base station of a mobile operator, which makes it possible to intercept calls and SMS messages unnoticed by the user. Do not forget that the infrastructure of services that provide social and other services to the population can also be attacked.
However, the introduction and use of the second authentication factor significantly reduces the number of cases of user data compromise.

The average user should clearly understand that two-factor authentication is not a "know-how" against which hackers have not yet found the appropriate tools. It qualitatively increases the level of security, as well as the "knowledge threshold" that a cybercriminal must have to implement an attack, but in no case reduces the risks to zero.

Alexey Morozkov
Team Leader of the ICL Services Cybersecurity Management Center

There can be many ways, including both the simplest and intricate ways to steal accounts.
If we are talking about SMS codes, then attackers have the option, for example, of spying on the code if a person has message previews shown on the locked screen of a smartphone, or, with the help of malicious programs, of intercepting all incoming messages on the smartphone without the user even knowing about it.
Spoofing the SIM card and linking it to the victim's number is a more complex attack, and it may be related to the vulnerability of the SS7 protocol.
If we talk about other methods of the second factor, then the use of authenticator applications creates very serious difficulties for attackers, and we can say that this is even an industry standard in the modern world of 2FA.
As for web applications, it is possible that an attacker will not try to get the second factor, but will look for vulnerabilities in the web application and try to get privileged access with all the ensuing consequences. In this regard, they will not really care whether there is a second factor or not, when they will have privileged access to the database.
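The "authenticator application" factor mentioned above is TOTP (RFC 6238). As an added example, not code from the article or from any of the quoted companies, here is a server-side verifier that also addresses two attack routes raised in this section: replaying a captured code and iterating through the six-digit space. The time step, digit count, skew tolerance and lockout thresholds are assumed values; the demo key is the public RFC 6238 test key.

```python
"""Server-side TOTP (RFC 6238) check with two mitigations: codes are single-use
(a captured code cannot be replayed) and guesses are rate-limited (the six-digit
space cannot simply be iterated through)."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # time step shared with the authenticator app (assumed)
DIGITS = 6
MAX_FAILURES = 5       # wrong codes tolerated before the account is locked (assumed)
LOCKOUT_SECONDS = 300


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret carried in the enrolment QR code (otpauth:// URI)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Per-account state: the shared secret plus replay and brute-force protection."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps          # tolerate +/- one step of clock drift
        self.last_accepted_counter = -1       # any counter <= this is a replay
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now=None):
        """Return (accepted, reason). Every outcome except success counts as a failure."""
        now = int(time.time()) if now is None else now
        if now < self.locked_until:
            return False, "locked_out"
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False, self._fail(now, "malformed")
        current = now // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            # constant-time compare so a timing side channel cannot narrow the search
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                if counter <= self.last_accepted_counter:
                    return False, self._fail(now, "replayed")
                self.last_accepted_counter = counter
                self.failures = 0
                return True, "ok"
        return False, self._fail(now, "wrong_code")

    def _fail(self, now: int, reason: str) -> str:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return reason


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    demo = TotpVerifier(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
    code = totp(demo.secret, int(time.time()))
    print("first use:", demo.verify(code))      # (True, 'ok')
    print("replay:   ", demo.verify(code))      # (False, 'replayed')
```

Note that the secret is the whole security of this factor: whoever copies the QR code during enrolment can compute every future code, which is why the text above treats the seed as a credential to be leaked.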

From the point of view of what the user can do to protect themselves, there is actually only one recommendation – to be careful. If your student friend, with whom you have been exchanging only mutual congratulations in the messenger for the past five years, suddenly asks you to vote in a drawing contest for his daughter (whom he doesn't have yet), just don't click on the link.

If your bank's service "suddenly" opened technical support directly in the messenger, without announcements or notifications, that is also a reason to think twice. It is also very important to realize that the ordinary user, unlike an information security expert, a priori does not know a tenth of the methods of attacking their account.

So how many factors are needed

The answer to this question depends directly on the service you want to access. For example, taking BigTech as an example, their data centers are usually protected by several identity checks at once, which can include several types of biometrics and the use of a token.

But this is only when we are talking about access to very sensitive company infrastructure. The same approach in the field of public services, where there is competition, would simply kill the service: users would go somewhere they do not have to enter passwords and codes for ten minutes every time they log in.

Pavel Kuznetsov
Product Director of the company "Garda Technologies"

In this case, the selection task is divided into at least two parts: to make the factor convenient for users so as not to scare them away to another service provider (financial, if we are talking about banks), and also to choose a solution that effectively increases security. I will not make a direct recommendation, but I will note that for particularly critical operations, it is even possible to require a personal presence, and for "second-tier" operations (money transfer, starting with the amount N), it is possible to use, for example, key generators. Moreover, such generators can be implemented both as a keyfob device and as an additional application for a smartphone.

The task of the service in this context comes down to two theses:
  • oblige the user to use a minimum level of protection, which today is increasingly 2FA;
  • offer tools for additional protection that the user can enable at their own discretion.
With this approach, a balance is struck between ensuring information security and the comfort of using the service. It is no secret that at the moment, and probably for the foreseeable future, the comfort of the user's interaction will be one of the determining factors, second only to profitability.

Thus, two-factor authentication seems to be the ideal solution for the mass segment, since it provides a balance of comfort and security. But in the corporate segment, additional security measures may well be used, including the third factor.

Sergey Opivalov
Senior Software Engineer at Gradle Inc

Third-factor options:
1. A possible third factor may be the physical security key, which is a small hardware device that connects to the user's computer or mobile device to provide an additional level of authentication. These keys can use various technologies, such as USB, NFC, or Bluetooth, and often require the user to physically press a button or touch the key to generate a code that is used to authenticate the user.
2. Another possible third factor may be biometric authentication, such as fingerprint or face recognition. This will require the user to provide a unique physical characteristic to authenticate their identity in addition to their password and a second factor.
It is important to note that while the third factor can improve security, it is not always necessary or practical for every use case. It is important to evaluate the risks and benefits of adding a third factor and determine whether it is appropriate for your specific security needs.

However, this does not mean that the third factor should be a "cactus", that is, an inconvenient tool for the user. Since a person tends to follow the path of least resistance, the difficult-to-use factor will be "artificially simplified", as it happens with complex passwords that are written on a sticker and attached to the monitor of a working PC, or stored in messages to themselves in the messenger.

In the user segment, for sensitive services, the third factor is likely to be biometrics, since this factor requires minimal effort from the user. A user of the service probably has the technical resources to integrate it – this is their smartphone.

Nikolay Khechumov
Information security expert, Avito

If we talk about the "third factor", what should it be and how appropriate is it for users?
There are different ways to talk about the third factor. Purely academically, this is something that a person can neither forget nor lose: fingerprints, retinal patterns, facial features, and so on. That is, we are talking about the need for sensors that should ensure the operation of the third factor. There are both technical and legal problems with this. The biometrics mechanisms that we currently see on mobile devices use it to unlock what is essentially the second factor and so far do not explicitly participate in the authentication chain on specific resources. But there is already a movement in this direction, commonly called passwordless; projects are developing, but have not yet received wide distribution:
- WebAuthn;
- PassKey (based on WebAuthn);
- SQRL.
Mass penetration of these standards will also be extremely convenient for users, and will significantly increase the security of their accounts.
Sometimes the third factor is just another one-time code that the user must take not from SMS - for example, from an email message, from a special application, or even from a pre-issued sheet. In my opinion, TOTP codes from Authenticator applications are much safer than SMS, but for the mass user, alas, they are not so convenient and understandable.

However, integrating this type of authentication also requires additional capacity on the part of the service, including secure storage of biometric data and compliance with legal requirements. For international services, such an approach is currently quite difficult to implement, since the regulation of working with citizens' biometrics varies considerably between countries.

Both the user and the company should be aware that the complexity of authentication is a "double-edged sword": the higher the security, the lower the availability of the service.

Results

The popularization of two-factor authentication and its mandatory use in a number of services is certainly a positive event from the point of view of information security. At the same time, you should not expect a long-term positive effect from this event, since complicating the attack chain by 1-3 steps does not turn the user's account into a safe.

Alexey Simtsov
Head of the Information Security Consulting and Audit Group of ICL Group

Two-factor authentication is an effective security measure that can significantly reduce the likelihood of a successful cyber attack. But do not forget that it is not 100% reliable, and cybercriminals are constantly finding new ways to compromise user accounts. While the third authentication factor can provide additional security, it will also require significant investment, and may also cause privacy and usability issues. As a result, users themselves should be responsible for their own security, using strong passwords, updating software, and being vigilant against all forms of fraud and cyberattacks. It is not superfluous to enable 2FA wherever possible, and make sure that you are using this method correctly.

The use of more than two factors is justified only if the user clearly understands why "their convenience suffers". Otherwise it simply won't work fully, as the user will try to make it "user-friendly" in every possible way, which means it is potentially vulnerable to attack. In such a situation, the service may have false expectations about the sufficiency of its protection, which at best will be dispelled during a pentest, and at worst as a result of an incident.

Yegor Petrov
Head of Advanced Information Security Solutions at Sissoft

Although these methods help eliminate the main attempts to hack accounts, hackers have learned how to bypass such protection. They do this not only with the help of social engineering, that is, through psychological manipulation of people, but also with the help of phishing attacks.
For example, consider the phishing attack in July last year, which was discovered by Microsoft. The cybercriminal managed to gain access to information by introducing a controlled proxy site between the future victim and the server that the user needed to log in to.

At the same time, we should not forget that in the corporate segment, a comprehensive approach is important, which may include not only multi-factor authentication, but also preventive differentiation of access to target systems between employees, regulation of user privileges, and the use of other software solutions, for example, based on behavioral analysis.